With Layer 7 virtual servers, you can optionally configure load balancer persistence, client-side SSL, and server-side SSL profiles.

Note: SSL profile is not supported in the NSX-T Data Center 2.2 limited export release.

If a client-side SSL profile binding is configured on a virtual server but not a server-side SSL profile binding, then the virtual server operates in an SSL-terminate mode, which has an encrypted connection to the client and plain text connection to the server. If both the client-side and server-side SSL profile bindings are configured, then the virtual server operates in SSL-proxy mode, which has an encrypted connection both to the client and the server.

Associating server-side SSL profile binding without associating a client-side SSL profile binding is currently not supported. If a client-side and a server-side SSL profile binding is not associated with a virtual server and the application is SSL-based, then the virtual server operates in an SSL-unaware mode. In this case, the virtual server must be configured for Layer 4. For example, the virtual server can be associated to a fast TCP profile.

Prerequisites

Verify a Layer 7 virtual server is available. See Configure Layer 7 Virtual Servers.

Procedure

  1. Open the Layer 7 virtual server.
  2. Skip to the Load Balancing Profiles page.
  3. Toggle the Persistence button to enable the profile.
    Persistence profile allows related client connections to be sent to the same server.
  4. Select either the Source IP Persistence or Cookie Persistence profile.
  5. Select the existing persistence profile from the drop-down menu.
  6. Click Next.
  7. Toggle the Client Side SSL button to enable the profile.
    Client-side SSL profile binding allows multiple certificates, for different host names to be associated to the same virtual server.
    The associated Client-side SSL profile is automatically populated.
  8. Select a default certificate from the drop-down menu.
    This certificate is used if the server does not host multiple host names on the same IP address or if the client does not support Server Name Indication (SNI) extension.
  9. Select the available SNI certificate and click the arrow to move the certificate to the Selected section.
  10. (Optional) Toggle the Mandatory Client Authentication to enable this menu item.
  11. Select the available CA certificate and click the arrow to move the certificate to the Selected section.
  12. Set the certificate chain depth to verify the depth in the server certificates chain.
  13. Select the available CRL and click the arrow to move the certificate to the Selected section.
    A CRL can be configured to disallow compromised server certificates.
  14. Click Next.
  15. Toggle the Server Side SSL button to enable the profile.
    The associated Server-side SSL profile is automatically populated.
  16. Select a client certificate from the drop-down menu.
    The client certificate is used if the server does not host multiple host names on the same IP address or if the client does not support Server Name Indication (SNI) extension.
  17. Select the available SNI certificate and click the arrow to move the certificate to the Selected section.
  18. (Optional) Toggle the Server Authentication to enable this menu item.
    Server-side SSL profile binding specifies whether the server certificate presented to the load balancer during the SSL handshake must be validated or not. When validation is enabled, the server certificate must be signed by one of the trusted CAs whose self-signed certificates are specified in the same server-side SSL profile binding.
  19. Select the available CA certificate and click the arrow to move the certificate to the Selected section.
  20. Set the certificate chain depth to verify the depth in the server certificates chain.
  21. Select the available CRL and click the arrow to move the certificate to the Selected section.
    A CRL can be configured to disallow compromised server certificates. OCSP and OCSP stapling are not supported on the server-side.
  22. Click Finish.